Amebis/GEANTLink
Amebis/GEANTLink
1
1
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 50 Wiki Activity

TLS implementation continues...

Browse Source
This commit is contained in:
Simon Rozman 2016-08-09 18:37:12 +02:00
parent ba5bf1e533
commit e92f47677d
6 changed files with 763 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/Common.props
View File

@ -32,7 +32,7 @@
<ItemDefinitionGroup>
<ClCompile>
<WarningLevel>Level4</WarningLevel>
<PreprocessorDefinitions>_WIN32_WINNT=0x0600;ISOLATION_AWARE_ENABLED=1;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>_WIN32_WINNT=0x0600;ISOLATION_AWARE_ENABLED=1;CERT_CHAIN_PARA_HAS_EXTRA_FIELDS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PrecompiledHeader>Use</PrecompiledHeader>
<PrecompiledHeaderFile>StdAfx.h</PrecompiledHeaderFile>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>

6
lib/EAPBase/src/Method.cpp
View File

@ -67,9 +67,9 @@ eap::method& eap::method::operator=(_In_ const method &other)
eap::method& eap::method::operator=(_Inout_ method &&other)
{
if (this != std::addressof(other)) {
assert(std::addressof(m_module) == std::addressof(other.m_module)); // Copy method within same module only!
assert(std::addressof(m_cfg ) == std::addressof(other.m_cfg )); // Copy method with same configuration only!
assert(std::addressof(m_cred ) == std::addressof(other.m_cred )); // Copy method with same credentials only!
assert(std::addressof(m_module) == std::addressof(other.m_module)); // Move method within same module only!
assert(std::addressof(m_cfg ) == std::addressof(other.m_cfg )); // Move method with same configuration only!
assert(std::addressof(m_cred ) == std::addressof(other.m_cred )); // Move method with same credentials only!
}
return *this;

BIN
lib/Events/res/EventsETW.man
View File

Binary file not shown.

259
lib/TLS/include/Method.h
View File

@ -83,16 +83,59 @@ namespace eap
/// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter: A.4. Handshake Protocol](https://tools.ietf.org/html/rfc5246#appendix-A.4)
///
enum handshake_type_t {
hello_request = 0,
client_hello = 1,
server_hello = 2,
certificate = 11,
server_key_exchange = 12,
certificate_request = 13,
server_hello_done = 14,
certificate_verify = 15,
client_key_exchange = 16,
finished = 20
handshake_type_hello_request = 0,
handshake_type_client_hello = 1,
handshake_type_server_hello = 2,
handshake_type_certificate = 11,
handshake_type_server_key_exchange = 12,
handshake_type_certificate_request = 13,
handshake_type_server_hello_done = 14,
handshake_type_certificate_verify = 15,
handshake_type_client_key_exchange = 16,
handshake_type_finished = 20
};
///
/// TLS alert level
///
/// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter: 7.2. Alert Protocol)](https://tools.ietf.org/html/rfc5246#section-7.2)
///
enum alert_level_t {
alert_level_warning = 1,
alert_level_fatal = 2,
};
///
/// TLS alert description
///
/// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter: 7.2. Alert Protocol)](https://tools.ietf.org/html/rfc5246#section-7.2)
///
enum alert_desc_t {
alert_desc_close_notify = 0,
alert_desc_unexpected_message = 10,
alert_desc_bad_record_mac = 20,
alert_desc_decryption_failed = 21, // reserved
alert_desc_record_overflow = 22,
alert_desc_decompression_failure = 30,
alert_desc_handshake_failure = 40,
alert_desc_no_certificate = 41, // reserved
alert_desc_bad_certificate = 42,
alert_desc_unsupported_certificate = 43,
alert_desc_certificate_revoked = 44,
alert_desc_certificate_expired = 45,
alert_desc_certificate_unknown = 46,
alert_desc_illegal_parameter = 47,
alert_desc_unknown_ca = 48,
alert_desc_access_denied = 49,
alert_desc_decode_error = 50,
alert_desc_decrypt_error = 51,
alert_desc_export_restriction = 60, // reserved
alert_desc_protocol_version = 70,
alert_desc_insufficient_security = 71,
alert_desc_internal_error = 80,
alert_desc_user_canceled = 90,
alert_desc_no_renegotiation = 100,
alert_desc_unsupported_extension = 110,
};
///
@ -210,6 +253,58 @@ namespace eap
};
#pragma pack(pop)
#pragma pack(push)
#pragma pack(1)
///
/// Master secret
///
/// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (8.1. Computing the Master Secret)](https://tools.ietf.org/html/rfc5246#section-8.1)
///
struct master_secret {
unsigned char data[48];
///
/// Constructs a all-zero master secret
///
master_secret();
///
/// Constructs a pre-master secret
///
/// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 7.4.7.1. RSA-Encrypted Premaster Secret Message)](https://tools.ietf.org/html/rfc5246#section-7.4.7.1)
///
/// \param[in] cp Handle of the cryptographics provider
///
master_secret(_In_ HCRYPTPROV cp);
///
/// Copies a master secret
///
/// \param[in] other Random to copy from
///
master_secret(_In_ const master_secret &other);
///
/// Destructor
///
~master_secret();
///
/// Copies a master secret
///
/// \param[in] other Random to copy from
///
/// \returns Reference to this object
///
master_secret& operator=(_In_ const master_secret &other);
///
/// Empty the master secret
///
void clear();
};
#pragma pack(pop)
public:
///
/// Constructs an EAP method
@ -301,21 +396,93 @@ namespace eap
///
/// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 7.4.1.2. Client Hello)](https://tools.ietf.org/html/rfc5246#section-7.4.1.2)
///
/// \returns Client Hello message
/// \returns Client hello message
///
sanitizing_blob make_client_hello() const;
///
/// Makes a TLS client certificate message
///
/// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 7.4.6. Client Certificate)](https://tools.ietf.org/html/rfc5246#section-7.4.6)
///
/// \returns Client certificate message
///
sanitizing_blob make_client_cert() const;
///
/// Makes a TLS client key exchange message
///
/// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 7.4.7. Client Key Exchange Message )](https://tools.ietf.org/html/rfc5246#section-7.4.7)
///
/// \param[in] pms_enc Encoded pre master secret
///
/// \returns Client key exchange message
///
sanitizing_blob make_client_key_exchange(_In_ const sanitizing_blob &pms_enc) const;
///
/// Makes a TLS change cipher spec message
///
/// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter A.1. Record Layer)](https://tools.ietf.org/html/rfc5246#appendix-A.1)
///
/// \returns Change cipher spec
///
static eap::sanitizing_blob make_change_chiper_spec();
///
/// Makes a TLS finished message
///
/// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter A.1. Record Layer)](https://tools.ietf.org/html/rfc5246#appendix-A.1)
///
/// \returns Change cipher spec
///
eap::sanitizing_blob make_finished();
///
/// Makes a TLS handshake
///
/// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter A.1. Record Layer)](https://tools.ietf.org/html/rfc5246#appendix-A.1)
///
/// \param[in] msg Handshake data contents
/// \param[in] msg Handshake data contents
///
/// \returns TLS handshake message
///
static eap::sanitizing_blob make_handshake(_In_ const sanitizing_blob &msg);
///
/// Makes a TLS handshake
///
/// \param[in] msg Handshake data contents
/// \param[in] encrypt Should the message be encrypted?
///
/// \returns TLS handshake message
///
inline eap::sanitizing_blob make_handshake(_In_ const sanitizing_blob &msg, _In_ bool encrypted)
{
if (encrypted) {
// Make unencrypted handshake, encrypt it, then make a new handshake message.
sanitizing_blob msg_enc(std::move(make_handshake(msg)));
encrypt_message(msg_enc);
return make_handshake(msg_enc);
} else
return make_handshake(msg);
}
///
/// Generates keys required by current connection state
///
/// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 6.3. Key Calculation)](https://tools.ietf.org/html/rfc5246#section-6.3)
///
void derive_keys();
///
/// Processes messages in a TLS packet
///
/// \param[in] pck Packet data
/// \param[in] size_pck \p pck size in bytes
///
void process_packet(_In_bytecount_(size_pck) const void *pck, _In_ size_t size_pck);
///
/// Processes a TLS handshake
///
@ -326,6 +493,21 @@ namespace eap
///
void process_handshake(_In_bytecount_(msg_size) const void *msg, _In_ size_t msg_size);
///
/// Processes a TLS handshake
///
/// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 7.2. Alert Protocol)](https://tools.ietf.org/html/rfc5246#section-7.2)
///
/// \param[in] msg TLS alert message data
/// \param[in] msg_size TLS alert message data size
///
void process_alert(_In_bytecount_(msg_size) const void *msg, _In_ size_t msg_size);
///
/// Verifies server's certificate if trusted by configuration
///
void verify_server_trust();
///
/// Encrypt TLS message
///
@ -343,14 +525,34 @@ namespace eap
///
/// Calculates pseudo-random P_hash data defined in RFC 5246
///
/// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter: 5. HMAC and the Pseudorandom Function)](https://tools.ietf.org/html/rfc5246#section-5)
/// \sa [The Transport Layer Security (TLS) Protocol Version 1.1 (Chapter 5: HMAC and the Pseudorandom Function)](https://tools.ietf.org/html/rfc4346#section-5)
///
/// \param[in] alg Hashing algorithm to use (CALG_MD5 or CALG_SHA1)
/// \param[in] secret Hashing secret key
/// \param[in] size_secret \p secret size
/// \param[in] seed Hashing seed
/// \param[in] size_seed \p seed size
/// \param[in] size Minimum number of bytes of pseudo-random data required
/// \param[in] secret Hashing secret key
/// \param[in] size_secret \p secret size
/// \param[in] lblseed Concatenated label and seed
/// \param[in] size_lblseed \p lblseed size
/// \param[in] size Number of bytes of pseudo-random data required
///
/// \returns Generated pseudo-random data (\p size bytes)
///
std::vector<unsigned char> prf(
_In_bytecount_(size_secret ) const void *secret,
_In_ size_t size_secret,
_In_bytecount_(size_lblseed) const void *lblseed,
_In_ size_t size_lblseed,
_In_ size_t size);
///
/// Calculates pseudo-random P_hash data defined in RFC 5246
///
/// \sa [The Transport Layer Security (TLS) Protocol Version 1.2 (Chapter 5: HMAC and the Pseudorandom Function)](https://tools.ietf.org/html/rfc5246#section-5)
///
/// \param[in] alg Hashing algorithm to use (CALG_MD5 or CALG_SHA1)
/// \param[in] secret Hashing secret key
/// \param[in] size_secret \p secret size
/// \param[in] seed Hashing seed
/// \param[in] size_seed \p seed size
/// \param[in] size Minimum number of bytes of pseudo-random data required
///
/// \returns Generated pseudo-random data (\p size or longer)
///
@ -382,7 +584,8 @@ namespace eap
if (!CryptHashData(hash, (const BYTE*)secret, (DWORD)size_secret, 0))
throw winstd::win_runtime_error(__FUNCTION__ " Error hashing secret.");
winstd::crypt_key key;
key.derive(m_cp, CALG_RC4, hash, 0);
if (!key.derive(m_cp, CALG_RC4, hash, 0))
throw winstd::win_runtime_error(__FUNCTION__ " Error deriving key.");
return key.detach();
}
@ -407,10 +610,14 @@ namespace eap
}
public:
config_method_tls &m_cfg; ///< EAP-TLS method configuration
credentials_tls &m_cred; ///< EAP-TLS user credentials
enum phase_t {
phase_unknown = -1,
phase_client_hello = 0,
phase_server_hello = 1,
phase_server_hello,
phase_resume_session,
} m_phase; ///< Session phase
packet m_packet_req; ///< Request packet
@ -418,7 +625,6 @@ namespace eap
winstd::crypt_prov m_cp; ///< Cryptography provider
winstd::crypt_key m_key_hmac; ///< Symmetric key for HMAC calculation
winstd::crypt_key m_key_encrypt; ///< Key for encrypting messages
winstd::crypt_key m_key_decrypt; ///< Key for decrypting messages
@ -429,11 +635,16 @@ namespace eap
std::list<winstd::cert_context> m_server_cert_chain; ///< Server certificate chain
bool m_send_client_cert; ///< Did server request client certificate?
winstd::crypt_hash m_hash_handshake_msgs_md5; ///< Running MD5 hash of handshake messages sent
winstd::crypt_hash m_hash_handshake_msgs_sha1; ///< Running SHA-1 hash of handshake messages sent
master_secret m_master_secret; ///< TLS master secret
bool m_send_client_cert; ///< Did server request client certificate?
//bool m_server_hello_done; ///< Is server hello done?
bool m_server_finished; ///< Did server send a valid finish message?
bool m_cipher_spec; ///< Did server specify cipher?
protected:
unsigned __int64 m_seq_num; ///< Sequence number for encryption
};

556
lib/TLS/src/Method.cpp
View File

@ -131,13 +131,65 @@ void eap::method_tls::random::clear()
}
//////////////////////////////////////////////////////////////////////
// eap::method_tls::master_secret
//////////////////////////////////////////////////////////////////////
eap::method_tls::master_secret::master_secret()
{
memset(data, 0, sizeof(data));
}
eap::method_tls::master_secret::master_secret(_In_ HCRYPTPROV cp)
{
data[0] = 3;
data[1] = 1;
if (!CryptGenRandom(cp, sizeof(data) - 2, data + 2))
throw win_runtime_error(__FUNCTION__ " Error creating PMS randomness.");
}
eap::method_tls::master_secret::master_secret(_In_ const master_secret &other)
{
memcpy(data, other.data, sizeof(data));
}
eap::method_tls::master_secret::~master_secret()
{
SecureZeroMemory(data, sizeof(data));
}
eap::method_tls::master_secret& eap::method_tls::master_secret::operator=(_In_ const master_secret &other)
{
if (this != std::addressof(other))
memcpy(data, other.data, sizeof(data));
return *this;
}
void eap::method_tls::master_secret::clear()
{
memset(data, 0, sizeof(data));
}
//////////////////////////////////////////////////////////////////////
// eap::method_tls
//////////////////////////////////////////////////////////////////////
eap::method_tls::method_tls(_In_ module &module, _In_ config_method_tls &cfg, _In_ credentials_tls &cred) :
m_cfg(cfg),
m_cred(cred),
m_phase(phase_unknown),
m_send_client_cert(false),
//m_server_hello_done(false),
m_server_finished(false),
m_cipher_spec(false),
m_seq_num(0),
method(module, cfg, cred)
{
@ -145,6 +197,8 @@ eap::method_tls::method_tls(_In_ module &module, _In_ config_method_tls &cfg, _I
eap::method_tls::method_tls(_In_ const method_tls &other) :
m_cfg(other.m_cfg),
m_cred(other.m_cred),
m_phase(other.m_phase),
m_packet_req(other.m_packet_req),
m_packet_res(other.m_packet_res),
@ -152,9 +206,13 @@ eap::method_tls::method_tls(_In_ const method_tls &other) :
m_random_server(other.m_random_server),
m_session_id(other.m_session_id),
m_server_cert_chain(other.m_server_cert_chain),
m_send_client_cert(other.m_send_client_cert),
m_hash_handshake_msgs_md5(other.m_hash_handshake_msgs_md5),
m_hash_handshake_msgs_sha1(other.m_hash_handshake_msgs_sha1),
m_master_secret(other.m_master_secret),
m_send_client_cert(other.m_send_client_cert),
//m_server_hello_done(other.m_server_hello_done),
m_server_finished(other.m_server_finished),
m_cipher_spec(other.m_cipher_spec),
m_seq_num(other.m_seq_num),
method(other)
{
@ -162,6 +220,8 @@ eap::method_tls::method_tls(_In_ const method_tls &other) :
eap::method_tls::method_tls(_Inout_ method_tls &&other) :
m_cfg(other.m_cfg),
m_cred(other.m_cred),
m_phase(std::move(other.m_phase)),
m_packet_req(std::move(other.m_packet_req)),
m_packet_res(std::move(other.m_packet_res)),
@ -169,9 +229,13 @@ eap::method_tls::method_tls(_Inout_ method_tls &&other) :
m_random_server(std::move(other.m_random_server)),
m_session_id(std::move(other.m_session_id)),
m_server_cert_chain(std::move(other.m_server_cert_chain)),
m_send_client_cert(std::move(other.m_send_client_cert)),
m_hash_handshake_msgs_md5(std::move(other.m_hash_handshake_msgs_md5)),
m_hash_handshake_msgs_sha1(std::move(other.m_hash_handshake_msgs_sha1)),
m_master_secret(std::move(other.m_master_secret)),
m_send_client_cert(std::move(other.m_send_client_cert)),
//m_server_hello_done(std::move(other.m_server_hello_done)),
m_server_finished(std::move(other.m_server_finished)),
m_cipher_spec(std::move(other.m_cipher_spec)),
m_seq_num(std::move(other.m_seq_num)),
method(std::move(other))
{
@ -181,6 +245,8 @@ eap::method_tls::method_tls(_Inout_ method_tls &&other) :
eap::method_tls& eap::method_tls::operator=(_In_ const method_tls &other)
{
if (this != std::addressof(other)) {
assert(std::addressof(m_cfg ) == std::addressof(other.m_cfg )); // Copy method with same configuration only!
assert(std::addressof(m_cred) == std::addressof(other.m_cred)); // Copy method with same credentials only!
(method&)*this = other;
m_phase = other.m_phase;
m_packet_req = other.m_packet_req;
@ -189,9 +255,13 @@ eap::method_tls& eap::method_tls::operator=(_In_ const method_tls &other)
m_random_server = other.m_random_server;
m_session_id = other.m_session_id;
m_server_cert_chain = other.m_server_cert_chain;
m_send_client_cert = other.m_send_client_cert;
m_hash_handshake_msgs_md5 = other.m_hash_handshake_msgs_md5;
m_hash_handshake_msgs_sha1 = other.m_hash_handshake_msgs_sha1;
m_master_secret = other.m_master_secret;
m_send_client_cert = other.m_send_client_cert;
//m_server_hello_done = other.m_server_hello_done;
m_server_finished = other.m_server_finished;
m_cipher_spec = other.m_cipher_spec;
m_seq_num = other.m_seq_num;
}
@ -202,6 +272,8 @@ eap::method_tls& eap::method_tls::operator=(_In_ const method_tls &other)
eap::method_tls& eap::method_tls::operator=(_Inout_ method_tls &&other)
{
if (this != std::addressof(other)) {
assert(std::addressof(m_cfg ) == std::addressof(other.m_cfg )); // Move method with same configuration only!
assert(std::addressof(m_cred) == std::addressof(other.m_cred)); // Move method with same credentials only!
(method&)*this = std::move(other);
m_phase = std::move(other.m_phase);
m_packet_req = std::move(other.m_packet_req);
@ -210,9 +282,13 @@ eap::method_tls& eap::method_tls::operator=(_Inout_ method_tls &&other)
m_random_server = std::move(other.m_random_server);
m_session_id = std::move(other.m_session_id);
m_server_cert_chain = std::move(other.m_server_cert_chain);
m_send_client_cert = std::move(other.m_send_client_cert);
m_hash_handshake_msgs_md5 = std::move(other.m_hash_handshake_msgs_md5);
m_hash_handshake_msgs_sha1 = std::move(other.m_hash_handshake_msgs_sha1);
m_master_secret = std::move(other.m_master_secret);
m_send_client_cert = std::move(other.m_send_client_cert);
//m_server_hello_done = std::move(other.m_server_hello_done);
m_server_finished = std::move(other.m_server_finished);
m_cipher_spec = std::move(other.m_cipher_spec);
m_seq_num = std::move(other.m_seq_num);
}
@ -229,7 +305,7 @@ void eap::method_tls::begin_session(
eap::method::begin_session(dwFlags, pAttributeArray, hTokenImpersonateUser, dwMaxSendPacketSize);
// Create cryptographics provider.
if (!m_cp.create(NULL, MS_ENHANCED_PROV, PROV_RSA_FULL, 0))
if (!m_cp.create(NULL, MS_ENHANCED_PROV, PROV_RSA_FULL))
throw win_runtime_error(__FUNCTION__ " Error creating cryptographics provider.");
}
@ -246,7 +322,7 @@ void eap::method_tls::process_request_packet(
if (dwReceivedPacketSize < 6)
throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Packet is too small. EAP-%s packets should be at least 6B.");
//else if (pReceivedPacket->Data[0] != eap_type_tls) // Skip method check, to allow TTLS extension.
// throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, wstring_printf(_T(__FUNCTION__) _T(" Packet is not EAP-TLS (expected: %u, received: %u)."), eap_type_tls, pReceivedPacket->Data[0]).c_str());
// throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, string_printf(__FUNCTION__ " Packet is not EAP-TLS (expected: %u, received: %u).", eap_type_tls, pReceivedPacket->Data[0]));
// Get packet data pointer and size for more readable code later on.
const unsigned char *packet_data_ptr;
@ -312,17 +388,21 @@ void eap::method_tls::process_request_packet(
throw win_runtime_error(__FUNCTION__ " Error creating client randomness.");
m_random_server.clear();
m_server_cert_chain.clear();
m_send_client_cert = false;
m_session_id.clear();
// Create MD5 hash object.
if (!m_hash_handshake_msgs_md5.create(m_cp, CALG_MD5, NULL, 0))
if (!m_hash_handshake_msgs_md5.create(m_cp, CALG_MD5))
throw win_runtime_error(__FUNCTION__ " Error creating MD5 hashing object.");
// Create SHA-1 hash object.
if (!m_hash_handshake_msgs_sha1.create(m_cp, CALG_SHA1, NULL, 0))
if (!m_hash_handshake_msgs_sha1.create(m_cp, CALG_SHA1))
throw win_runtime_error(__FUNCTION__ " Error creating SHA-1 hashing object.");
m_master_secret.clear();
m_send_client_cert = false;
//m_server_hello_done = false;
m_server_finished = false;
m_cipher_spec = false;
m_seq_num = 0;
}
@ -355,29 +435,89 @@ void eap::method_tls::process_request_packet(
m_packet_res.m_id = m_packet_req.m_id;
m_packet_res.m_flags = 0;
sanitizing_blob hello(make_client_hello());
sanitizing_blob handshake(make_handshake(hello));
sanitizing_blob handshake(make_handshake(hello, m_cipher_spec));
m_packet_res.m_data.assign(handshake.begin(), handshake.end());
pEapOutput->fAllowNotifications = FALSE;
pEapOutput->action = EapPeerMethodResponseActionSend;
// Hash the client_hello message.
CryptHashData(m_hash_handshake_msgs_md5 , hello.data(), (DWORD)hello.size(), 0);
CryptHashData(m_hash_handshake_msgs_sha1, hello.data(), (DWORD)hello.size(), 0);
pEapOutput->fAllowNotifications = FALSE;
pEapOutput->action = EapPeerMethodResponseActionSend;
m_phase = phase_server_hello;
break;
}
case phase_server_hello: {
if (m_packet_req.m_data.size() < 5)
throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, string_printf(__FUNCTION__ " TLS message too small (expected >=5, received %uB).", m_packet_req.m_data.size()));
const message *msg = (const message*)m_packet_req.m_data.data();
if (msg->type != message_type_handshake)
throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, string_printf(__FUNCTION__ " Wrong TLS message (expected %u, received %uB).", message_type_handshake, msg->type));
process_packet(m_packet_req.m_data.data(), m_packet_req.m_data.size());
process_handshake(msg->data, std::min<size_t>(ntohs(*(unsigned short*)msg->length), m_packet_req.m_data.size() - 5));
if (m_server_cert_chain.empty())
throw win_runtime_error(ERROR_ENCRYPTION_FAILED, __FUNCTION__ " Can not continue without server's certificate.");
//break;
verify_server_trust();
// Build response packet.
m_packet_res.m_code = EapCodeResponse;
m_packet_res.m_id = m_packet_req.m_id;
m_packet_res.m_flags = 0;
m_packet_res.m_data.clear();
if (!m_server_finished || !m_cipher_spec) {
// New session.
if (m_send_client_cert) {
// Client certificate requested, and append to packet.
sanitizing_blob client_cert(make_client_cert());
sanitizing_blob handshake(make_handshake(client_cert, m_cipher_spec));
m_packet_res.m_data.insert(m_packet_res.m_data.end(), handshake.begin(), handshake.end());
CryptHashData(m_hash_handshake_msgs_md5 , client_cert.data(), (DWORD)client_cert.size(), 0);
CryptHashData(m_hash_handshake_msgs_sha1, client_cert.data(), (DWORD)client_cert.size(), 0);
}
// Generate pre-master secret and encrypt it. PMS will get sanitized in its destructor when going out-of-scope.
master_secret pms(m_cp);
sanitizing_blob pms_enc((const unsigned char*)&pms, (const unsigned char*)(&pms + 1));
crypt_key key;
if (!key.import_public(m_cp, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &(m_server_cert_chain.front()->pCertInfo->SubjectPublicKeyInfo)))
throw win_runtime_error(__FUNCTION__ " Error importing server's public key.");
if (!CryptEncrypt(key, NULL, TRUE, 0, pms_enc))
throw win_runtime_error(__FUNCTION__ " Error encrypting PMS.");
// Derive master secret.
vector<unsigned char> lblseed, hash;
const unsigned char s_label[] = "master secret";
lblseed.assign(s_label, s_label + _countof(s_label) - 1);
lblseed.insert(lblseed.end(), (const unsigned char*)&m_random_client, (const unsigned char*)(&m_random_client + 1));
lblseed.insert(lblseed.end(), (const unsigned char*)&m_random_server, (const unsigned char*)(&m_random_server + 1));
memcpy(&m_master_secret, prf(&pms, sizeof(pms), lblseed.data(), lblseed.size(), sizeof(m_master_secret)).data(), sizeof(m_master_secret));
// Create client key exchange message, and append to packet.
sanitizing_blob client_key_exchange(make_client_key_exchange(pms_enc));
sanitizing_blob handshake(make_handshake(client_key_exchange, m_cipher_spec));
m_packet_res.m_data.insert(m_packet_res.m_data.end(), handshake.begin(), handshake.end());
CryptHashData(m_hash_handshake_msgs_md5 , client_key_exchange.data(), (DWORD)client_key_exchange.size(), 0);
CryptHashData(m_hash_handshake_msgs_sha1, client_key_exchange.data(), (DWORD)client_key_exchange.size(), 0);
}
// Append change cipher spec to packet.
sanitizing_blob ccs(make_change_chiper_spec());
m_packet_res.m_data.insert(m_packet_res.m_data.end(), ccs.begin(), ccs.end());
if (!m_server_finished || !m_cipher_spec) {
// Setup encryption.
derive_keys();
m_cipher_spec = true;
}
sanitizing_blob finished(make_finished());
sanitizing_blob handshake(make_handshake(finished, m_cipher_spec));
m_packet_res.m_data.insert(m_packet_res.m_data.end(), handshake.begin(), handshake.end());
CryptHashData(m_hash_handshake_msgs_md5 , finished.data(), (DWORD)finished.size(), 0);
CryptHashData(m_hash_handshake_msgs_sha1, finished.data(), (DWORD)finished.size(), 0);
pEapOutput->fAllowNotifications = FALSE;
pEapOutput->action = EapPeerMethodResponseActionSend;
m_phase = phase_resume_session;
//break; // Leave commented until finished.
}
default:
@ -474,7 +614,7 @@ eap::sanitizing_blob eap::method_tls::make_client_hello() const
// SSL header
assert(size_data <= 0xffffff);
unsigned int ssl_header = htonl(((unsigned int)client_hello << 24) | (unsigned int)size_data);
unsigned int ssl_header = htonl(((unsigned int)handshake_type_client_hello << 24) | (unsigned int)size_data);
msg.insert(msg.end(), (unsigned char*)&ssl_header, (unsigned char*)(&ssl_header + 1));
// SSL version: TLS 1.0
@ -503,9 +643,124 @@ eap::sanitizing_blob eap::method_tls::make_client_hello() const
}
eap::sanitizing_blob eap::method_tls::make_client_cert() const
{
// Select client certificate.
PCCERT_CONTEXT cert;
if (m_cfg.m_use_preshared) {
// Using pre-shared credentials.
const credentials_tls *preshared = dynamic_cast<credentials_tls*>(m_cfg.m_preshared.get());
cert = preshared && preshared->m_cert ? preshared->m_cert : NULL;
} else {
// Using own credentials.
cert = m_cred.m_cert ? m_cred.m_cert : NULL;
}
size_t size_data, size_list;
sanitizing_blob msg;
msg.reserve(
4 + // SSL header
(size_data =
3 + // Certificate list size
(size_list =
(cert ? 3 + cert->cbCertEncoded : 0)))); // Certificate (optional)
// SSL header
assert(size_data <= 0xffffff);
unsigned int ssl_header = htonl(((unsigned int)handshake_type_certificate << 24) | (unsigned int)size_data);
msg.insert(msg.end(), (unsigned char*)&ssl_header, (unsigned char*)(&ssl_header + 1));
// List size
assert(size_list <= 0xffffff);
msg.push_back((unsigned char)((size_list >> 16) & 0xff));
msg.push_back((unsigned char)((size_list >> 8) & 0xff));
msg.push_back((unsigned char)((size_list ) & 0xff));
if (cert) {
// Cert size
assert(cert->cbCertEncoded <= 0xffffff);
msg.push_back((unsigned char)((cert->cbCertEncoded >> 16) & 0xff));
msg.push_back((unsigned char)((cert->cbCertEncoded >> 8) & 0xff));
msg.push_back((unsigned char)((cert->cbCertEncoded ) & 0xff));
msg.insert(msg.end(), cert->pbCertEncoded, cert->pbCertEncoded + cert->cbCertEncoded);
}
return msg;
}
eap::sanitizing_blob eap::method_tls::make_client_key_exchange(_In_ const sanitizing_blob &pms_enc) const
{
size_t size_data, size_pms_enc = pms_enc.size();
sanitizing_blob msg;
msg.reserve(
4 + // SSL header
(size_data =
2 + // Encrypted pre master secret size
size_pms_enc)); // Encrypted pre master secret
// SSL header
assert(size_data <= 0xffffff);
unsigned int ssl_header = htonl(((unsigned int)handshake_type_client_key_exchange << 24) | (unsigned int)size_data);
msg.insert(msg.end(), (unsigned char*)&ssl_header, (unsigned char*)(&ssl_header + 1));
// Encrypted pre master secret size
assert(size_pms_enc <= 0xffff);
msg.push_back((unsigned char)((size_pms_enc >> 8) & 0xff));
msg.push_back((unsigned char)((size_pms_enc ) & 0xff));
// Encrypted pre master secret
msg.insert(msg.end(), pms_enc.begin(), pms_enc.end());
return msg;
}
eap::sanitizing_blob eap::method_tls::make_change_chiper_spec()
{
static const unsigned char s_msg_css[] = {
(unsigned char)message_type_change_cipher_spec, // SSL record type
3, // SSL major version
1, // SSL minor version
0, // Message size (high-order byte)
1, // Message size (low-order byte)
1, // Message: change_cipher_spec is always "1"
};
return eap::sanitizing_blob(s_msg_css, s_msg_css + _countof(s_msg_css));
}
eap::sanitizing_blob eap::method_tls::make_finished()
{
sanitizing_blob msg;
msg.reserve(
4 + // SSL header
12); // verify_data is 12B
// SSL header
unsigned int ssl_header = htonl(((unsigned int)handshake_type_finished << 24) | 12);
msg.insert(msg.end(), (unsigned char*)&ssl_header, (unsigned char*)(&ssl_header + 1));
// Create label + hash MD5 + hash SHA-1 seed.
vector<unsigned char> lblseed, hash;
const unsigned char s_label[] = "client finished";
lblseed.assign(s_label, s_label + _countof(s_label) - 1);
if (!CryptGetHashParam(m_hash_handshake_msgs_md5, HP_HASHVAL, hash, 0))
throw win_runtime_error(__FUNCTION__ " Error finishing MD5 hash calculation.");
lblseed.insert(lblseed.end(), hash.begin(), hash.end());
if (!CryptGetHashParam(m_hash_handshake_msgs_sha1, HP_HASHVAL, hash, 0))
throw win_runtime_error(__FUNCTION__ " Error finishing SHA-1 hash calculation.");
lblseed.insert(lblseed.end(), hash.begin(), hash.end());
vector<unsigned char> verify(prf(&m_master_secret, sizeof(m_master_secret), lblseed.data(), lblseed.size(), 12));
msg.insert(msg.end(), verify.begin(), verify.end());
return msg;
}
eap::sanitizing_blob eap::method_tls::make_handshake(_In_ const sanitizing_blob &msg)
{
// Create a handshake.
size_t size_msg = msg.size();
eap::sanitizing_blob msg_h;
msg_h.reserve(
@ -531,6 +786,90 @@ eap::sanitizing_blob eap::method_tls::make_handshake(_In_ const sanitizing_blob
}
void eap::method_tls::derive_keys()
{
vector<unsigned char> lblseed;
const unsigned char s_label[] = "key expansion";
lblseed.assign(s_label, s_label + _countof(s_label) - 1);
lblseed.insert(lblseed.end(), (const unsigned char*)&m_random_server, (const unsigned char*)(&m_random_server + 1));
lblseed.insert(lblseed.end(), (const unsigned char*)&m_random_client, (const unsigned char*)(&m_random_client + 1));
vector<unsigned char> key_block(prf(&m_master_secret, sizeof(m_master_secret), lblseed.data(), lblseed.size(),
2*20 + // client_write_MAC_secret & server_write_MAC_secret (SHA1)
2*24 + // client_write_key & server_write_key (3DES)
2* 8)); // client_write_IV & server_write_IV
const unsigned char *data = key_block.data();
static const BLOBHEADER s_key_struct = {
OPAQUEKEYBLOB,
CUR_BLOB_VERSION,
0,
CALG_RC4
};
vector<unsigned char> key;
key.assign((const unsigned char*)&s_key_struct, (const unsigned char*)(&s_key_struct + 1));
key.insert(key.end(), data, data + 20);
if (!m_key_hmac.import(m_cp, key.data(), key.size(), NULL, 0))
throw win_runtime_error(__FUNCTION__ " Error importing client_write_MAC_secret key.");
// TODO: Derive rest of the keys.
}
void eap::method_tls::process_packet(_In_bytecount_(size_pck) const void *_pck, _In_ size_t size_pck)
{
for (const unsigned char *pck = (const unsigned char*)_pck, *pck_end = pck + size_pck; pck < pck_end; ) {
if (pck + 5 > pck_end)
throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Incomplete message header.");
const message *hdr = (const message*)pck;
const unsigned char
*msg = hdr->data,
*msg_end = msg + ntohs(*(unsigned short*)hdr->length);
if (msg_end > pck_end)
throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Incomplete message data.");
if (hdr->version.major == 3 && hdr->version.minor == 1) {
// Process TLS 1.0 message.
switch (hdr->type) {
case message_type_handshake:
if (m_cipher_spec) {
sanitizing_blob msg_dec(msg, msg_end);
decrypt_message(msg_dec);
process_handshake(msg_dec.data(), msg_dec.size());
} else
process_handshake(msg, msg_end - msg);
break;
case message_type_change_cipher_spec:
if (msg + 1 > msg_end)
throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Incomplete change cipher spec message.");
else if (msg[0] != 1)
throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, string_printf(__FUNCTION__ " Invalid change cipher spec message (expected 1, received %u).", msg[0]));
if (!m_cipher_spec) {
// Resuming previous session.
derive_keys();
m_cipher_spec = true;
}
break;
case message_type_alert:
if (m_cipher_spec) {
sanitizing_blob msg_dec(msg, msg_end);
decrypt_message(msg_dec);
process_alert(msg_dec.data(), msg_dec.size());
} else
process_alert(msg, msg_end - msg);
break;
}
}
pck = msg_end;
}
}
void eap::method_tls::process_handshake(_In_bytecount_(msg_size) const void *_msg, _In_ size_t msg_size)
{
for (const unsigned char *msg = (const unsigned char*)_msg, *msg_end = msg + msg_size; msg < msg_end; ) {
@ -542,11 +881,11 @@ void eap::method_tls::process_handshake(_In_bytecount_(msg_size) const void *_ms
*rec = msg + sizeof(unsigned int),
*rec_end = rec + (hdr & 0xffffff);
if (rec_end > msg_end)
throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Incomplete record rec.");
throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Incomplete record data.");
// Process record.
switch (hdr >> 24) {
case server_hello:
case handshake_type_server_hello:
// TLS version
if (rec + 2 > rec_end)
throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Server SSL/TLS version missing or incomplete.");
@ -575,7 +914,7 @@ void eap::method_tls::process_handshake(_In_bytecount_(msg_size) const void *_ms
break;
case certificate: {
case handshake_type_certificate: {
// Certificate list size
if (rec + 3 > rec_end)
throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Certificate list size missing or incomplete.");
@ -608,20 +947,35 @@ void eap::method_tls::process_handshake(_In_bytecount_(msg_size) const void *_ms
break;
}
case certificate_request:
case handshake_type_certificate_request:
m_send_client_cert = true;
break;
case finished:
if (rec_end - rec != 12)
throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, string_printf(__FUNCTION__ " \"finished\" size incorrect (expected 12B, received %u).", rec_end - rec));
//case handshake_type_server_hello_done:
// m_server_hello_done = true;
vector<unsigned char> hash, hash_sha1;
case handshake_type_finished: {
// According to https://tools.ietf.org/html/rfc5246#section-7.4.9 all verify_data is 12B.
if (rec_end - rec != 12)
throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, string_printf(__FUNCTION__ " Finished record size incorrect (expected 12B, received %uB).", rec_end - rec));
// Create label + hash MD5 + hash SHA-1 seed.
vector<unsigned char> lblseed, hash;
const unsigned char s_label[] = "server finished";
lblseed.assign(s_label, s_label + _countof(s_label) - 1);
if (!CryptGetHashParam(m_hash_handshake_msgs_md5, HP_HASHVAL, hash, 0))
throw win_runtime_error(__FUNCTION__ " Error finishing MD5 hash calculation.");
if (!CryptGetHashParam(m_hash_handshake_msgs_sha1, HP_HASHVAL, hash_sha1, 0))
lblseed.insert(lblseed.end(), hash.begin(), hash.end());
if (!CryptGetHashParam(m_hash_handshake_msgs_sha1, HP_HASHVAL, hash, 0))
throw win_runtime_error(__FUNCTION__ " Error finishing SHA-1 hash calculation.");
hash.insert(hash.end(), hash_sha1.begin(), hash_sha1.end());
lblseed.insert(lblseed.end(), hash.begin(), hash.end());
if (memcmp(prf(&m_master_secret, sizeof(m_master_secret), lblseed.data(), lblseed.size(), 12).data(), rec, 12))
throw win_runtime_error(ERROR_ENCRYPTION_FAILED, __FUNCTION__ " Integrity check failed.");
m_server_finished = true;
break;
}
}
msg = rec_end;
@ -629,6 +983,115 @@ void eap::method_tls::process_handshake(_In_bytecount_(msg_size) const void *_ms
}
void eap::method_tls::process_alert(_In_bytecount_(msg_size) const void *msg, _In_ size_t msg_size)
{
UNREFERENCED_PARAMETER(msg);
if (msg_size < 2)
throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Incomplete alert.");
//if (msg[0] == alert_level_fatal) {
// // Clear session ID to avoid reconnection attempts.
// m_session_id.clear();
//}
}
void eap::method_tls::verify_server_trust()
{
assert(!m_server_cert_chain.empty());
cert_context &cert = m_server_cert_chain.front();
if (!m_cfg.m_server_names.empty()) {
// Check server name.
string subj;
if (!CertGetNameStringA(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, subj))
throw win_runtime_error(__FUNCTION__ " Error retrieving server's certificate subject name.");
for (list<string>::const_iterator s = m_cfg.m_server_names.cbegin(), s_end = m_cfg.m_server_names.cend();; ++s) {
if (s != s_end) {
const char
*a = s->c_str(),
*b = subj.c_str();
size_t
len_a = s->length(),
len_b = subj.length();
if (_stricmp(a, b) == 0 || // Direct match
a[0] == '*' && len_b + 1 >= len_a && _stricmp(a + 1, b + len_b - (len_a - 1)) == 0) // "*..." wildchar match
{
m_module.log_event(&EAPMETHOD_SERVER_NAME_TRUSTED, event_data(subj), event_data::blank);
break;
}
} else
throw win_runtime_error(ERROR_INVALID_DOMAINNAME, string_printf(__FUNCTION__ " Server name %s is not on the list of trusted server names.", subj.c_str()).c_str());
}
}
// Create temporary certificate store of our trusted root CAs.
cert_store store;
if (!store.create(CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, 0, NULL))
throw win_runtime_error(ERROR_INVALID_DOMAINNAME, __FUNCTION__ " Error creating temporary certificate store.");
for (list<cert_context>::const_iterator c = m_cfg.m_trusted_root_ca.cbegin(), c_end = m_cfg.m_trusted_root_ca.cend(); c != c_end; ++c)
CertAddCertificateContextToStore(store, *c, CERT_STORE_ADD_REPLACE_EXISTING, NULL);
// Add all certificates from the server's certificate chain, except the first one.
for (list<cert_context>::const_iterator c = m_server_cert_chain.cbegin(), c_end = m_server_cert_chain.cend(); ++c != c_end;)
CertAddCertificateContextToStore(store, *c, CERT_STORE_ADD_REPLACE_EXISTING, NULL);
// Prepare the certificate chain validation, and check.
CERT_CHAIN_PARA chain_params = {
sizeof(chain_params), // cbSize
{
USAGE_MATCH_TYPE_AND, // RequestedUsage.dwType
{}, // RequestedUsage.Usage
},
#ifdef CERT_CHAIN_PARA_HAS_EXTRA_FIELDS
{}, // RequestedIssuancePolicy
1, // dwUrlRetrievalTimeout (1ms to speed up checking)
#else
#define _S2(x) #x
#define _S(x) _S2(x)
#pragma message(__FILE__ "(" _S(__LINE__) "): warning X0000: Please define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS constant when compiling this project.")
#endif
};
cert_chain_context context;
if (!context.create(NULL, cert, NULL, store, &chain_params, 0))
throw win_runtime_error(ERROR_INVALID_DOMAINNAME, __FUNCTION__ " Error creating certificate chain context.");
// Check chain validation error flags. Ignore CERT_TRUST_IS_UNTRUSTED_ROOT flag when we check root CA explicitly.
if (context->TrustStatus.dwErrorStatus != CERT_TRUST_NO_ERROR &&
(m_cfg.m_trusted_root_ca.empty() || (context->TrustStatus.dwErrorStatus & ~CERT_TRUST_IS_UNTRUSTED_ROOT) != CERT_TRUST_NO_ERROR))
throw win_runtime_error(context->TrustStatus.dwErrorStatus, "Error validating certificate chain.");
if (!m_cfg.m_trusted_root_ca.empty()) {
// Verify Root CA against our trusted root CA list
if (context->cChain != 1)
throw win_runtime_error(ERROR_NOT_SUPPORTED, __FUNCTION__ " Multiple chain verification not supported.");
if (context->rgpChain[0]->cElement == 0)
throw win_runtime_error(ERROR_NOT_SUPPORTED, __FUNCTION__ " Can not verify empty certificate chain.");
PCCERT_CONTEXT cert_root = context->rgpChain[0]->rgpElement[context->rgpChain[0]->cElement-1]->pCertContext;
for (list<cert_context>::const_iterator c = m_cfg.m_trusted_root_ca.cbegin(), c_end = m_cfg.m_trusted_root_ca.cend();; ++c) {
if (c != c_end) {
if (cert_root->cbCertEncoded == (*c)->cbCertEncoded &&
memcmp(cert_root->pbCertEncoded, (*c)->pbCertEncoded, cert_root->cbCertEncoded) == 0)
{
// Trusted root CA found.
break;
}
} else {
// Not found.
throw win_runtime_error(ERROR_FILE_NOT_FOUND, __FUNCTION__ " Server's certificate not issued by one of configured trusted root CAs.");
}
}
}
m_module.log_event(&EAPMETHOD_SERVER_CERT_TRUSTED, event_data::blank);
}
void eap::method_tls::encrypt_message(_Inout_ sanitizing_blob &msg)
{
// Create a HMAC hash.
@ -689,6 +1152,33 @@ void eap::method_tls::decrypt_message(_Inout_ sanitizing_blob &msg)
}
vector<unsigned char> eap::method_tls::prf(
_In_bytecount_(size_secret ) const void *secret,
_In_ size_t size_secret,
_In_bytecount_(size_lblseed) const void *lblseed,
_In_ size_t size_lblseed,
_In_ size_t size)
{
size_t
L_S1 = (size_secret + 1) / 2,
L_S2 = L_S1;
const void
*S1 = secret,
*S2 = (const unsigned char*)secret + (size_secret - L_S2);
vector<unsigned char>
p_md5 (p_hash(CALG_MD5 , S1, L_S1, lblseed, size_lblseed, size)),
p_sha1(p_hash(CALG_SHA1, S2, L_S2, lblseed, size_lblseed, size)),
p(size);
for (size_t i = 0; i < size; i++)
p[i] = p_md5[i] ^ p_sha1[i];
return p;
}
vector<unsigned char> eap::method_tls::p_hash(
_In_ ALG_ID alg,
_In_bytecount_(size_secret) const void *secret,

2
lib/WinStd

@ -1 +1 @@
Subproject commit bacf47ebbc81621c41e73d88d5563a382ce68e3e
Subproject commit dc2711590306e1c056e49a12f8b8a7c40ee337ea